Tuesday, November 1, 2016

The GWU Active Defense Report is a Secret Argument for Cyber Letters of Marque!

Let's talk about the Active Defense Report from GWU, starting with who wrote it. But, not to bury the lede: this paper is all about an argument FOR CYBER LETTERS OF MARQUE! :)

It's always a bad sign when you have Jane Holl Lute talking about anything computer related. She spent her entire BlackHat talk saying how little she knew about the subject, which tells me they picked people by title, not by knowledge. But they also have Tim Evans and Nate Fick and Stewart Baker and other people who clearly DO have experience in the subject.

The first thing the paper does, of course, is try to define active defense. If you go over the history of the term, it was synonymous with hacking back, and occasionally with doing some other pretty obviously illegal things, until the marketing droids at CrowdStrike, who were using it daily, got tons of heat and had to walk it back about ten steps by padding their marketing material and public statements with a lot of stuff that is not active defense at all.

This paper is no different.

On the left of the paper's chart, stuff that is in no way related to active defense! On the right, stuff that is clearly illegal! For example, "Hunting" is "looking at logs to find patterns". Let's not fall for our own marketing BS.

The smart thing to do with this paper is ignore the Executive Summary entirely. There they suggest about a million things for the government to do, including the executive branch, Congress, various government agencies, etc. This would be a tremendous effort of ungodly proportions! And I think it obscures the important point of this paper, which is buried far below.

This section is where the paper starts to acknowledge the issue at hand: the Government is failing to provide a protective security umbrella.

This paper drives relentlessly towards one conclusion: We need a new model for Cyber Letters of Marque. It starts subtly.

Note the highlighted section that we call "Foreshadowing".

The paper goes a bit more explicit with why this is important in the next few sections.

Let's talk about that example, because it is clearly "Hack Back", the real and only definition of active defense. The Government is acknowledging here that selective prosecution is its current de facto plan for Cyber Letters of Marque, and that it needs a new, more explicit model, which the paper goes on to describe as essentially the exact thing we have in this blog post over here.

The snippet from the Appendix (written by the Center for Democracy and Technology) shows how most people in Government feel about these ideas (uneasy), but they will have to get used to them.

What should make us MORE uneasy, as the paper presents in its conclusion, is the idea of doing nothing, and allowing the norm of "Not acting unless we feel like it" to become the international rule of the road. The reason cyber letters of marque are a good idea is that they explicitly address what is clearly already happening, while allowing resources from private companies to be applied directly to the problems private companies are having.

While private companies are not going to be directing hacking against C2 infrastructure in this model, they will be paying for it, and getting their priorities met. This addresses a significant gap in nation-state sovereignty, and the authors of the paper argue that it needs to happen as soon as possible. The paper sneaked these ideas in there in diplomatic terms, which is a very interesting development, to say the least.